Load version_map metadata for all tracked software and use it for
detection at render time. This catches Cirrus, Cocoon, and any other
software with plain semver versions, not just name-prefixed ones.
Detection chain: DB field → exact version map → extracted semver map
→ version string prefix → default bluesky-pds.

Don't wait for cron to populate pds_software — infer it immediately
by checking if the version string starts with a known software name
(e.g. "millipds v0.0.5..." → millipds).

Read legacy latest_pds_version key until cron populates new per-software
keys. Extract clean semver from version strings like "millipds v0.0.5.dev17+..."
for both software detection and trust score comparison.

Servers running alternative PDS implementations (millipds, cirrus, cocoon,
etc.) are now detected by matching their version against known GitHub tags
and compared against their own software's latest release for the trust
score. Link-only software without version tracking gets benefit of the
doubt. Software name shows as a clickable link in the directory. JSON API
includes per-software latest versions alongside the existing field.

- Strip trailing slashes from PDS URLs to prevent double-slash in xrpc paths
- Add User-Agent header to GitHub API requests and preserve etag on errors
- Suppress individual listRepos 404 logs, show summary count instead
- Add DNS (7d) and geo (30d) cache TTL to refresh stale enrichment data

Validate PDS URLs on ingest (https-only, no private IPs, no bare IPs,
no single-label hostnames). Guard enrichment against DNS rebinding by
checking resolved IPs. Sanitize href attributes to block javascript:
URIs and harden esc() with single-quote escaping.

ETag caching for state.json and GitHub tags API skips the full 2900-server
upsert and version update when data hasn't changed. Enrichment reuses
cached DNS/geo data from SQLite instead of re-resolving every run.
Cache-Control headers on HTML/API responses (1hr max-age). Batch size
bumped from 50 to 75.

Five signals at 20% each: contact email, ToS, privacy policy,
>5 users, latest PDS version. Sorted by score descending.
Removed sorting controls and outdated version toggle.
Added trust score explanation footnote.

- listRepos cursor is always present on non-empty pages, so check
repos.length >= 1000 instead of cursor presence
- Only list servers that responded to health endpoint (version != null)
- Smarter enrichment queue: never-enriched > missing user count >
working > dead
- Per-server logging in cron for easier debugging
- Remove one-time reset (already executed)

- Servers with any trust signal (email/ToS/PP) always shown regardless
of outdated filter
- Each PDS fetch gets its own 5s timeout instead of sharing one
- Add error logging to listRepos for debugging user count failures
- Prioritize re-enriching servers missing user counts
- Footer: single row with middot separators, link to Tangled source

- Strip v prefix from GitHub version tags to match PDS health output
- Only show enriched servers (with geo/version data)
- Tier servers: featured (contact email) > ToS/PP > rest
- Featured servers always shown regardless of outdated toggle
- Add pdsmoover "Moove here" links, golden for featured servers
- Bump enrichment batch to 50 for faster initial population